Assessment 2: 
Report on Information technology security : worm 


Damian A. James Williamson 


Edith Cowen University 
Graduate Program 


CYB6001.AC2 


31-Mar-2019 




Table of Contents


Report on Information technology security: worm ........ 1

Introduction ........ 1

A description of the Computer Worm ........ 1

Vector ........ 2

Exploit ........ 2

Installation ........ 4

Payload ........ 4

Propagation ........ 4

Neda Industrial Group - A Victim of Stuxnet ........ 4

Report Summary ........ 5

Definitions ........ 5

Reference List ........ 6
Introduction: 


A computer worm was chosen from the assessment list for this report. Computer worms 
spread themselves and perform arbitrary programmed tasks. Adherence to a practical 
computer security policy often mitigates the propagation and functioning of computer 
worms. In the case of the chosen research example, the Stuxnet worm was responsible for 
damage to equipment and significant expense. The report was researched through internet 
searches locating industry information, news and research articles, and additionally through 
previous personal endeavour, including fieldwork. 


A description of the Computer Worm: 


A program need not have any function beyond self-distribution in order to be classified as a 
computer worm, since the use of an exploit or an attack on a vulnerability is in itself the 
malicious act. 


A computer worm is a program (malware) designed to distribute itself. Like all malware, a 
worm has malicious intent in its operation. There are several possible vectors for the 
propagation of the computer worm, including removable media, network, and internet 
(ESET, n.d.-c). For the installation of the worm, an exploit utilized when a programmed 
vulnerability is accessed provides ingress (Arnold, Guck, Kumar, & Stoelinga, 2015). On the 
newly infected computer system, execution of the payload is accomplished by one of 
several methods, and thereafter the worm continues with its programmed task (payload) 
and propagates further. Execution may coincide with installation or occur separately. 


[Figure 1 is a diagram titled "Computer Worm", reproduced here as text only: a cycle of 
Vector -> Exploit -> Payload -> Propagation, annotated with ESET's definition of a worm: 
"a self-replicating type of malware that can spread to other computers. Worms can spread 
through computer networks, e-mails, instant-messaging services, social networks, removable 
media and other channels. Unlike viruses, worms do not attach themselves to existing 
programs, however, some viruses do make use of worm-like propagation methods to spread 
themselves."] 


FIGURE 1 - THE LIFE OF A COMPUTER WORM (ESET, n.d.-c) 


Vector 

The computer worm is self-replicating. Making use of file-transport or information-transport 
mechanisms, whether portable USB media or network access, the worm, in either case via 
an exploit, duplicates its payload and the sub-code required for installation, execution and 
propagation to other systems (CISCO, n.d.). Often this takes the form of infecting connected 
USB media, or of spreading via network and internet access services and applications 
(Arnold et al., 2015). 


Exploit 

Locating a vector does not by itself establish that a vulnerability exists. A worm may carry 
many programmed exploits to leverage whatever vulnerability it finds, each applied through a 
specific sequence of programmed actions. The exploit itself is specific programming of a 
malicious nature that allows the worm to take actions not intentionally allowed (ESET, n.d.-b). 
Variations of exploits include the use of weak passwords, glitches in unpatched systems, and 
other as-yet-undisclosed vulnerabilities. 





FIGURE 2 — PROPAGATION OF A COMPUTER WORM 


Installation 

Through the exploit, the worm initiates the process of installation. In the case of USB 
media, a vulnerable operating system is made, through autoruns, to copy files and perform 
the installation (Arnold et al., 2015). In the case of network transport, for a live 
installation, the exploit may be code injection, weak passwords, or an exposed RPC 
service call. In the case of a dormant installation, the worm can wait for the necessary 
activation conditions: a computer restart, later activation by a service, or user action. 


Payload 

Execution conditions for the payload may be available immediately as a part of the installation. 
The payload is the purposeful part of the worm that performs its intended task (Kaspersky 
Lab, n.d.). A task may be simple, such as continuing distribution, or complex, such as capturing 
and decrypting secure communications. Any programmable task is accomplishable with 
sufficient access on a compromised system. 


Propagation 

As part of the payload, propagation relies on the operation of an exploit through the path 
worm <- vector <- vulnerability <- exploit <- payload, as briefly described. Thereby the 
installation process is repeated, and the worm distributes itself. Polymorphic worms alter 
each copied iteration of their program to assist in avoiding detection by anti-malware 
software (ESET, n.d.-a). 


Neda Industrial Group - A victim of Stuxnet: 


The success of a computer worm relies on vectors and exploits; securing both vectors and 
vulnerabilities should be a focus of computer security. 


Neda Industrial Group is involved in the design and installation of industrial control systems. 
On July 22, 2009?, a worker at the company visited a user forum to report that the company 
was having a particular issue reproduced on all computers, an issue that the worker believed 
to be caused by a computer virus. A specific Siemens Step 7 .DLL kept throwing an error that 
could not be resolved when USB flash drive media was used to transfer a copy of the file, 
but the error was not repeated with a clean copy of the file transferred by media such as a 
CD/DVD (Zetter, 2014). In reality, Stuxnet had struck Neda about two weeks earlier, on July 
7, 2009 (GReAT, 2014; Zetter, 2014). 


As a result of the infection at Neda and other similar companies, the Stuxnet 1.001 worm 
eventually made its way onto the enrichment systems at the Natanz facility in Natanz, Iran. 
The impact of this, whether from the updated worm or the original Stuxnet 0.5 worm, was 
the progressive, abnormal wear and failure of the centrifuges - no doubt a technical and 
financial impact, as by estimate at least 984 attached hardware devices were affected 
(Zetter, 2014). 


Infection by the Stuxnet 1.001 worm breaches confidentiality, integrity and availability 
(Byrnes & Proctor, 2002). 


When the Stuxnet 1.001 worm transmits information that it has acquired to its resources on 
the internet, that is a breach of confidentiality. The information may include private 
information identifying an individual computer, including the computer name, IP address 
and operating system version, and information revealing a Supervisory Control And Data 
Acquisition (SCADA) software installation (ESET, n.d.-b; Symantec, n.d.). Additionally, its 
payload includes the capability to steal data and execute arbitrary code (F-Secure, 
n.d.; Symantec, n.d.). 


The worm alters files on the infected system and additionally writes files of its own, which 
is a violation of integrity. The operation of Windows Defender and other services is 
modified. USB flash drive media is also compromised, with several exploit files written 
to it automatically (ESET, n.d.-b; Symantec, n.d.). 


Infected machines are reported to restart automatically, and targeted SCADA-operated 
hardware is damaged, compromising availability (Zetter, 2014). Computer systems are 
sensibly taken out of service for the duration of the worm infection until it is rectified. 


What steps Neda took to rectify the worm once identified are not public to this report, and 
the origin point at the company is not known. Anti-malware vendors included signature-
specific detection for Stuxnet from at least July 2010 (ESET, n.d.-b; Symantec, n.d.). Closing 
vectors and vulnerabilities would have been useful in preventing infection: an effective 
computer security policy preventing the bringing in or connecting of USB (or other external) 
media, quarantining of email attachments, and disabling autoruns to prevent non-SCADA 
software from propagating. 
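The two host-level controls named above, blocking external USB storage and disabling autoruns, are ordinary Windows registry policies. The script below is an added example, not part of the original report; it assumes it is run as an administrator on Windows, and the registry paths and hardened values are standard Windows policy locations rather than anything taken from the Stuxnet write-ups cited here.

```powershell
# Added example (not part of the original report): audit, and optionally enforce,
# the Windows settings that close the USB/AutoRun vector described in the report.
# Assumptions: run as administrator on Windows; the paths/values are standard
# Windows policy locations, not anything taken from the report's sources.
[CmdletBinding()]
param([switch]$Enforce)

# Each control: registry path, value name, hardened value, and the risk if left weak.
$controls = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'
       Want = 0xFF   # bitmask: disable AutoRun on every drive type
       Weak = 'AutoRun may run autorun.inf from removable media' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutorun'
       Want = 1      # do not honour autorun.inf commands at all
       Weak = 'autorun.inf commands are honoured' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'
       Want = 4      # 4 = driver disabled; 3 = start on demand (Windows default)
       Weak = 'USB mass-storage driver loads when a stick is plugged in' }
)

function Test-WormVectorControls {
    foreach ($c in $controls) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name `
                    -ErrorAction SilentlyContinue).($c.Name)
        # An absent value means the Windows default applies, i.e. the weak state.
        $ok = ($null -ne $current) -and ($current -eq $c.Want)
        if (-not $ok -and $Enforce) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
            $ok = $true
        }
        [pscustomobject]@{
            Setting    = "$($c.Path)\$($c.Name)"
            Current    = if ($null -eq $current) { '<absent>' } else { $current }
            Hardened   = $c.Want
            Compliant  = $ok
            RiskIfWeak = $c.Weak
        }
    }
}

Test-WormVectorControls | Format-Table -AutoSize
```

Run without `-Enforce` to obtain an audit table only; disabling USBSTOR is a blunt control that also blocks legitimate USB storage, so it belongs in a policy that also provides the CD/DVD or managed-transfer alternative the report mentions.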


Report Summary: 


Computer worms spread themselves, even without the need for a human-interaction vector, 
and certainly with the aid of human assistance. Neda was both a research target and a vector 
of the Stuxnet worm, ultimately leading to significant disruption and expense. An effective 
computer security policy would have assisted. Making use of competent and preferably 
independently validated anti-malware software may have assisted further. 


Definitions: 

Exploit: 


an attack to leverage access through a specific vulnerability. 


Malware: 


code or software that is specifically designed to damage, disrupt, steal, or in general 
inflict some other "bad" or illegitimate action on data, hosts, or networks. (CISCO, 
n.d.) 


Payload: 


is used to describe what a virus, worm or Trojan is designed to do on a victim's 
computer. (Kaspersky Lab, n.d.) 


Polymorphism: 


The term used to describe a program that changes the order in which its instructions 
are stored on disk, executed in memory, etc. This creates a program that while 
functionally equivalent contains different code in each instance. Malware uses this 
technique to re-order its instructions in an attempt to evade detection. (ESET, n.d.-a) 


Worm: 


a self-replicating type of malware that can spread to other computers. Worms can 
spread through computer networks, e-mails, instant-messaging services, social 
networks, removable media and other channels. Unlike viruses, worms do not attach 
themselves to existing programs, however, some viruses do make use of worm-like 
propagation methods to spread themselves. (ESET, n.d.-c) 


Vulnerability: 


A specific weakness in methodology or design that allows the opportunity to exploit. Carrying 
a USB stick openly across campus is a vulnerability, as are exposed USB ports on a 
computer, software that accesses or connects to the internet or other computers, and 
listening ports and bound services in a network, and so forth. Some vulnerabilities are 
routinely tolerated so that regular use cases remain workable, in reliance on other 
(hopefully) mitigating arrangements such as anti-malware software or pre-
checking. 


Reference List: 


Arnold, F., Guck, D., Kumar, R., & Stoelinga, M. (2015). Sequential and Parallel Attack Tree 
Modelling. https://doi.org/10.1007/978-3-319-24249-1_25 


Byrnes, F. C., & Proctor, P. E. (2002). Information Security Must Balance Business Objectives 
| Objectives of Computer Security | InformIT. Retrieved March 21, 2019, from 
http://www.informit.com/articles/article.aspx?p=26952 


CISCO. (n.d.). What Is the Difference: Viruses, Worms, Trojans, and Bots? - Cisco. Retrieved 
March 24, 2019, from https://www.cisco.com/c/en/us/about/security-center/virus- 
differences.html 


ESET. (n.d.-a). Polymorphism | ESET Virusradar. Retrieved March 24, 2019, from 
https://www.virusradar.com/en/glossary/polymorphism 


ESET. (n.d.-b). Win32/Stuxnet.A | ESET Virusradar. Retrieved March 21, 2019, from 
https://www.virusradar.com/en/Win32_Stuxnet.A/description 


ESET. (n.d.-c). Worm | ESET Virusradar. Retrieved March 21, 2019, from 
https://www.virusradar.com/en/glossary/worm 


F-Secure. (n.d.). Trojan-Dropper:W32/Stuxnet Description | F-Secure Labs. Retrieved March 
21, 2019, from https://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml 


GReAT. (2014). Stuxnet: Zero Victims | Securelist. Retrieved March 21, 2019, from 
https://securelist.com/stuxnet-zero-victims/67483/ 


Kaspersky Lab. (n.d.). Payload | Kaspersky Lab Encyclopedia. Retrieved March 30, 2019, 
from https://encyclopedia.kaspersky.com/glossary/payload/ 


Symantec. (n.d.). W32.Stuxnet | Symantec. Retrieved March 21, 2019, from 
https://www.symantec.com/security-center/writeup/2010-071400-3123-99 


Zetter, K. (2014). An Unprecedented Look at Stuxnet, the World’s First Digital Weapon | 
WIRED. Retrieved March 21, 2019, from https://www.wired.com/2014/11/countdown- 
to-zero-day-stuxnet/ 


